@floomhq/floom-mcp-sync 1.0.6 → 1.0.8

package/dist/lib/manifest.js

@@ -1,11 +1,13 @@
 import { constants } from "node:fs";
-import { lstat, mkdir, open, rename } from "node:fs/promises";
+import { lstat, mkdir, open, rename, rm, stat } from "node:fs/promises";
 import { dirname, join, relative, resolve, sep } from "node:path";
 import { configPath } from "./paths.js";
 const MANIFEST_VERSION = 1;
 const SLUG_RE = /^[A-Za-z0-9_-]{1,128}$/;
 const FD_PATH_ROOT = "/proc/self/fd";
-function manifestPath() {
+const LOCK_TIMEOUT_MS = 15_000;
+const LOCK_STALE_MS = 5 * 60_000;
+export function syncManifestPath() {
     return join(dirname(configPath()), "sync-manifest.json");
 }
 function emptyManifest() {
@@ -15,18 +17,33 @@ function isEntryForKey(key, value) {
     if (!value || typeof value !== "object")
         return false;
     const entry = value;
-    return (typeof entry.hash === "string" &&
+    if (typeof entry.hash === "string" &&
         typeof entry.slug === "string" &&
         typeof entry.target === "string" &&
         typeof entry.syncedAt === "string" &&
         entry.target === key &&
-        SLUG_RE.test(entry.slug) &&
-        key.split("/").at(-1) === `${entry.slug}.md`);
+        SLUG_RE.test(entry.slug)) {
+        const segments = key.split("/");
+        const slugIndex = segments.lastIndexOf(entry.slug);
+        const packagePath = slugIndex >= 0 ? segments.slice(slugIndex + 1) : [];
+        return isPackageFilePath(packagePath);
+    }
+    return false;
+}
+function isPackageFilePath(packagePath) {
+    if (packagePath.length === 1 && packagePath[0] === "SKILL.md")
+        return true;
+    if (packagePath.length < 2)
+        return false;
+    const first = packagePath[0];
+    if (first === undefined || !["references", "examples", "scripts", "assets"].includes(first))
+        return false;
+    return packagePath.every((segment) => segment !== "." && segment !== ".." && segment.length > 0);
 }
 export async function readSyncManifest() {
     try {
         await ensureSyncManifestDir();
-        const handle = await open(manifestPath(), constants.O_RDONLY | constants.O_NOFOLLOW);
+        const handle = await open(syncManifestPath(), constants.O_RDONLY | constants.O_NOFOLLOW);
         let body;
         try {
             body = await handle.readFile("utf8");
@@ -55,7 +72,7 @@ export async function readSyncManifest() {
 }
 export async function writeSyncManifest(manifest) {
     await ensureSyncManifestDir();
-    const path = manifestPath();
+    const path = syncManifestPath();
     const dirPath = dirname(path);
     const dir = await open(dirPath, constants.O_RDONLY | constants.O_DIRECTORY | constants.O_NOFOLLOW);
     const tmpBase = `sync-manifest.json.${process.pid}.${Date.now()}`;
@@ -94,7 +111,7 @@ function childPath(parent, fallbackParent, name) {
     return join(resolve(fallbackParent), name);
 }
 export async function ensureSyncManifestDir() {
-    const path = manifestPath();
+    const path = syncManifestPath();
     const dir = dirname(path);
     await mkdir(dir, { recursive: true, mode: 0o700 });
     const stat = await lstat(dir);
@@ -109,6 +126,43 @@ export async function ensureSyncManifestDir() {
         throw err;
     }
 }
+export async function withSyncLock(fn) {
+    await ensureSyncManifestDir();
+    const lockPath = join(dirname(syncManifestPath()), "sync.lock");
+    const startedAt = Date.now();
+    for (;;) {
+        try {
+            await mkdir(lockPath, { mode: 0o700 });
+            break;
+        }
+        catch (err) {
+            if (err.code !== "EEXIST")
+                throw err;
+            try {
+                const lockStat = await stat(lockPath);
+                if (Date.now() - lockStat.mtimeMs > LOCK_STALE_MS) {
+                    await rm(lockPath, { recursive: true, force: true });
+                    continue;
+                }
+            }
+            catch (statErr) {
+                if (statErr.code === "ENOENT")
+                    continue;
+                throw statErr;
+            }
+            if (Date.now() - startedAt > LOCK_TIMEOUT_MS) {
+                throw new Error("Timed out waiting for Floom sync lock.");
+            }
+            await new Promise((resolveDelay) => setTimeout(resolveDelay, 50));
+        }
+    }
+    try {
+        return await fn();
+    }
+    finally {
+        await rm(lockPath, { recursive: true, force: true }).catch(() => { });
+    }
+}
 export function manifestKey(root, target) {
     const relativeTarget = relative(resolve(root), resolve(target));
     if (relativeTarget === ".." || relativeTarget.startsWith(`..${sep}`)) {

package/dist/lib/paths.js

@@ -4,25 +4,22 @@ import { assertValidSlug } from "./slug.js";
 export function configPath() {
     return process.env.FLOOM_CONFIG_PATH ?? join(homedir(), ".floom", "config.json");
 }
-export function agentTarget() {
-    const raw = (process.env.FLOOM_TARGET ?? process.env.FLOOM_AGENT_TARGET ?? "claude").toLowerCase();
-    if (raw === "codex")
-        return "codex";
-    if (raw === "claude")
-        return "claude";
-    throw new Error("Invalid FLOOM_TARGET. Use claude or codex.");
-}
 export function skillsDir() {
-    if (process.env.FLOOM_SKILLS_DIR)
-        return process.env.FLOOM_SKILLS_DIR;
-    if (agentTarget() === "codex") {
-        const codexHome = process.env.CODEX_HOME ?? join(homedir(), ".codex");
-        return process.env.CODEX_SKILLS_DIR ?? join(codexHome, "skills");
-    }
-    return process.env.CLAUDE_SKILLS_DIR ?? join(homedir(), ".claude", "skills");
+    return expandHome(process.env.FLOOM_SKILLS_DIR
+        ?? process.env.CLAUDE_SKILLS_DIR
+        ?? process.env.CODEX_SKILLS_DIR
+        ?? join(homedir(), ".claude", "skills"));
+}
+function expandHome(path) {
+    if (path === "~")
+        return homedir();
+    if (path.startsWith("~/"))
+        return join(homedir(), path.slice(2));
+    return path;
 }
 export function skillPath(slug) {
-    return join(skillsDir(), `${slug}.md`);
+    assertValidSlug(slug);
+    return join(skillsDir(), slug, "SKILL.md");
 }
 const PATH_SEGMENT_RE = /^[a-z0-9._-]{1,128}$/;
 function safePathSegments(value, label) {
@@ -37,12 +34,12 @@ function safePathSegments(value, label) {
     return segments;
 }
 /**
- * Compute the on-disk path for a skill given optional folder + library
- * grouping. Version 1 preview uses owned skills at the skills root or inside
- * `<folder>/`. Library grouping remains a later-version path shape.
+ * Compute the on-disk path for a skill package given optional folder + library
+ * grouping. Native Claude/Codex packages are written as
+ * `<slug>/SKILL.md`, with folder/library segments above the package root.
  *
- * The slug always becomes the filename. Folder/library segments must already
- * be validated by the API (server-side regex enforces lowercase tokens).
+ * The slug always becomes the package directory. Folder/library segments must
+ * already be validated by the API (server-side regex enforces lowercase tokens).
  */
 export function skillTargetPath(opts) {
     assertValidSlug(opts.slug);
@@ -50,7 +47,7 @@ export function skillTargetPath(opts) {
     const segments = [root];
     segments.push(...safePathSegments(opts.librarySlug, "library slug"));
     segments.push(...safePathSegments(opts.folder, "folder"));
-    segments.push(`${opts.slug}.md`);
+    segments.push(opts.slug, "SKILL.md");
     const target = join(...segments);
     const relativeTarget = relative(resolve(root), resolve(target));
     if (relativeTarget === ".." || relativeTarget.startsWith(`..${sep}`) || isAbsolute(relativeTarget)) {

package/dist/server.js

@@ -2,28 +2,20 @@
 import { createInterface } from "node:readline";
 import { stdin, stdout } from "node:process";
 import { autoSync } from "./auto-sync.js";
-import { installSkill } from "./tools/install.js";
-import { publishSkill } from "./tools/publish.js";
-import { listLibraries, moveSkill, subscribeLibrary, unsubscribeLibrary, } from "./tools/libraries.js";
+import { getSkill } from "./tools/get.js";
 import { searchSkills } from "./tools/search.js";
-import { agentTarget, skillsDir } from "./lib/paths.js";
-const SERVER_VERSION = "1.0.6";
+import { syncStatus } from "./tools/status.js";
+const SERVER_VERSION = "1.0.8";
 const DEFAULT_INTERVAL_MS = 60_000;
 const MIN_INTERVAL_MS = 10_000;
-const VERSION_RE = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$/;
-const VISIBILITIES = new Set(["unlisted", "public", "private"]);
-const ASSET_TYPES = new Set(["knowledge", "instruction", "workflow", "skill"]);
 const SEARCH_TYPES = new Set(["knowledge", "instruction", "workflow", "skill"]);
-const FOLDER_RE = /^[a-z0-9][a-z0-9._-]*(\/[a-z0-9][a-z0-9._-]*)*$/;
-const INSTALL_TARGETS = new Set([
-    "claude_skill",
-    "memory",
-    "rule",
-    "codex_instruction",
-    "opencode_instruction",
-    "cursor_rule",
-    "other",
-]);
+let syncInFlight = null;
+function runAutoSync() {
+    syncInFlight ??= autoSync().finally(() => {
+        syncInFlight = null;
+    });
+    return syncInFlight;
+}
 function usage() {
     return `
 floom-mcp-sync v${SERVER_VERSION}
@@ -34,9 +26,7 @@ Usage
 
 Behavior
   Starts a stdio MCP server.
-  Syncs published, saved, and followed library skills into the configured local skills directory.
-  Requires a signed-in Floom CLI account for account-backed sync.
-  Public and unlisted shared-link installs still work through floom_install_skill without an account.
+  Syncs Floom skills into native Claude/Codex package folders.
   Polls for updates while the MCP process is running.
 
 Options
@@ -45,10 +35,9 @@ Options
 
 Env
   FLOOM_API_URL              Override the API host.
-  FLOOM_TARGET               claude or codex. Default: claude.
-  FLOOM_SKILLS_DIR           Override the local skills directory directly.
-  CLAUDE_SKILLS_DIR          Override Claude's skills directory.
-  CODEX_SKILLS_DIR           Override Codex's skills directory.
+  FLOOM_SKILLS_DIR           Override the native skills directory.
+  CLAUDE_SKILLS_DIR          Claude skills directory override.
+  CODEX_SKILLS_DIR           Codex skills directory override.
   FLOOM_SYNC_INTERVAL_MS     Poll interval in milliseconds. Minimum: 10000.
 `.trimStart();
 }
@@ -91,7 +80,7 @@ function startPolling(intervalMs, state) {
             return;
         }
         state.inFlight = true;
-        autoSync().catch((err) => {
+        runAutoSync().catch((err) => {
             process.stderr.write(`[floom] poll failed: ${err instanceof Error ? err.message : String(err)}\n`);
         }).finally(() => {
             state.inFlight = false;
@@ -103,7 +92,7 @@ function toolList() {
         tools: [
             {
                 name: "floom_search_skills",
-                description: "Search public Floom skills before recreating reusable behavior from scratch.",
+                description: "Search public Floom skills through the live API.",
                 inputSchema: {
                     type: "object",
                     properties: {
@@ -117,8 +106,8 @@ function toolList() {
                 },
             },
             {
-                name: "floom_install_skill",
-                description: "Fetch a Floom skill by slug and install it into the configured local skills directory. Public and unlisted links do not require an account.",
+                name: "floom_get_skill",
+                description: "Fetch full Floom skill content by slug on demand.",
                 inputSchema: {
                     type: "object",
                     properties: {
@@ -129,26 +118,8 @@ function toolList() {
                 },
             },
             {
-                name: "floom_publish_skill",
-                description: "Publish Markdown content to the signed-in Floom account as a skill. Requires CLI login/config.",
-                inputSchema: {
-                    type: "object",
-                    properties: {
-                        name: { type: "string", minLength: 1, maxLength: 200 },
-                        content: { type: "string", minLength: 1, maxLength: 500_000 },
-                        description: { type: "string", maxLength: 1000 },
-                        visibility: { type: "string", enum: [...VISIBILITIES] },
-                        asset_type: { type: "string", enum: [...ASSET_TYPES] },
-                        installs_as: { type: ["string", "null"], enum: [...INSTALL_TARGETS, null] },
-                        version: { type: "string", pattern: "^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$" },
-                    },
-                    required: ["name", "content"],
-                    additionalProperties: false,
-                },
-            },
-            {
-                name: "floom_list_libraries",
-                description: "List public Floom libraries.",
+                name: "floom_status",
+                description: "Report local Floom sync manifest and drift counts.",
                 inputSchema: {
                     type: "object",
                     properties: {},
@@ -156,44 +127,11 @@ function toolList() {
                 },
             },
             {
-                name: "floom_subscribe_library",
-                description: "Follow a Floom library for the signed-in user so its skills sync locally.",
-                inputSchema: {
-                    type: "object",
-                    properties: {
-                        slug: { type: "string", minLength: 1, maxLength: 64 },
-                    },
-                    required: ["slug"],
-                    additionalProperties: false,
-                },
-            },
-            {
-                name: "floom_unsubscribe_library",
-                description: "Unfollow a Floom library for the signed-in user.",
+                name: "floom_sync",
+                description: "Run one foreground sync into the native local skills directory.",
                 inputSchema: {
                     type: "object",
-                    properties: {
-                        slug: { type: "string", minLength: 1, maxLength: 64 },
-                    },
-                    required: ["slug"],
-                    additionalProperties: false,
-                },
-            },
-            {
-                name: "floom_move_skill",
-                description: "Set a signed-in user's local folder/tags override for a Floom skill.",
-                inputSchema: {
-                    type: "object",
-                    properties: {
-                        slug: { type: "string", minLength: 1, maxLength: 128 },
-                        folder: { type: ["string", "null"], maxLength: 256 },
-                        tags: {
-                            type: "array",
-                            items: { type: "string", minLength: 1, maxLength: 64 },
-                            maxItems: 32,
-                        },
-                    },
-                    required: ["slug", "folder"],
+                    properties: {},
                     additionalProperties: false,
                 },
             },
@@ -205,6 +143,12 @@ function asObject(value) {
         throw new Error("Expected object arguments.");
     return value;
 }
+function assertOnlyKeys(value, allowed, label) {
+    const allowedSet = new Set(allowed);
+    const extra = Object.keys(value).find((key) => !allowedSet.has(key));
+    if (extra)
+        throw new Error(`Unexpected ${label} argument: ${extra}`);
+}
 function asString(value, label, min, max) {
     if (typeof value !== "string" || value.length < min || value.length > max) {
         throw new Error(`Invalid ${label}.`);
@@ -218,13 +162,6 @@ function optionalString(value, label, max) {
         throw new Error(`Invalid ${label}.`);
     return value;
 }
-function enumValue(value, label, allowed, fallback) {
-    if (value === undefined)
-        return fallback;
-    if (typeof value !== "string" || !allowed.has(value))
-        throw new Error(`Invalid ${label}.`);
-    return value;
-}
 function optionalEnumValue(value, label, allowed) {
     if (value === undefined)
         return undefined;
@@ -232,22 +169,6 @@ function optionalEnumValue(value, label, allowed) {
         throw new Error(`Invalid ${label}.`);
     return value;
 }
-function nullableEnumValue(value, label, allowed, fallback) {
-    if (value === undefined)
-        return fallback;
-    if (value === null)
-        return null;
-    if (typeof value !== "string" || !allowed.has(value))
-        throw new Error(`Invalid ${label}.`);
-    return value;
-}
-function optionalStringArray(value, label, maxItems, maxLength) {
-    if (value === undefined)
-        return [];
-    if (!Array.isArray(value) || value.length > maxItems)
-        throw new Error(`Invalid ${label}.`);
-    return value.map((item) => asString(item, label, 1, maxLength));
-}
 function optionalInteger(value, label, min, max) {
     if (value === undefined)
         return undefined;
@@ -256,22 +177,16 @@ function optionalInteger(value, label, min, max) {
     }
     return value;
 }
-function nullableFolder(value) {
-    if (value === null)
-        return null;
-    const folder = asString(value, "folder", 1, 256);
-    if (!FOLDER_RE.test(folder))
-        throw new Error("Invalid folder.");
-    return folder;
-}
 async function callTool(params) {
     const parsed = asObject(params);
     const name = asString(parsed.name, "tool name", 1, 200);
     const args = asObject(parsed.arguments ?? {});
-    if (name === "floom_install_skill") {
-        return ok(await installSkill(asString(args.slug, "slug", 1, 128)));
+    if (name === "floom_get_skill") {
+        assertOnlyKeys(args, ["slug"], "floom_get_skill");
+        return ok(await getSkill(asString(args.slug, "slug", 1, 128)));
     }
     if (name === "floom_search_skills") {
+        assertOnlyKeys(args, ["query", "library", "type", "limit"], "floom_search_skills");
         const opts = {};
         const library = optionalString(args.library, "library", 64);
         const type = optionalEnumValue(args.type, "type", SEARCH_TYPES);
@@ -284,23 +199,13 @@ async function callTool(params) {
             opts.limit = limit;
         return ok(await searchSkills(asString(args.query, "query", 1, 120), opts));
     }
-    if (name === "floom_publish_skill") {
-        const version = optionalString(args.version, "version", 64);
-        if (version !== undefined && !VERSION_RE.test(version))
-            throw new Error("Invalid version.");
-        return ok(await publishSkill(asString(args.name, "name", 1, 200), asString(args.content, "content", 1, 500_000), optionalString(args.description, "description", 1000), enumValue(args.visibility, "visibility", VISIBILITIES, "unlisted"), enumValue(args.asset_type, "asset_type", ASSET_TYPES, "skill"), nullableEnumValue(args.installs_as, "installs_as", INSTALL_TARGETS, "claude_skill"), version));
-    }
-    if (name === "floom_list_libraries") {
-        return ok(await listLibraries());
+    if (name === "floom_status") {
+        assertOnlyKeys(args, [], "floom_status");
+        return ok(await syncStatus());
     }
-    if (name === "floom_subscribe_library") {
-        return ok(await subscribeLibrary(asString(args.slug, "slug", 1, 64)));
-    }
-    if (name === "floom_unsubscribe_library") {
-        return ok(await unsubscribeLibrary(asString(args.slug, "slug", 1, 64)));
-    }
-    if (name === "floom_move_skill") {
-        return ok(await moveSkill(asString(args.slug, "slug", 1, 128), nullableFolder(args.folder), optionalStringArray(args.tags, "tags", 32, 64)));
+    if (name === "floom_sync") {
+        assertOnlyKeys(args, [], "floom_sync");
+        return ok(await runAutoSync());
     }
     throw new Error(`Unknown tool: ${name}`);
 }
@@ -326,12 +231,7 @@ async function handleRequest(message) {
             stdout.write(response(id, {
                 protocolVersion: "2025-06-18",
                 capabilities: { tools: {} },
-                serverInfo: {
-                    name: "floom-mcp-sync",
-                    version: SERVER_VERSION,
-                    target: agentTarget(),
-                    skillsDir: skillsDir(),
-                },
+                serverInfo: { name: "floom-mcp-sync", version: SERVER_VERSION },
             }));
             return;
         }
@@ -357,9 +257,9 @@ async function main() {
     if (handleCliArgs(process.argv.slice(2)))
         return;
     const intervalMs = resolvePollIntervalMs();
-    process.stderr.write(`[floom] starting sync poller for ${agentTarget()} at ${skillsDir()} (interval ${intervalMs}ms)\n`);
+    process.stderr.write(`[floom] starting sync poller (interval ${intervalMs}ms)\n`);
     const syncState = { inFlight: true };
-    void autoSync().catch((err) => {
+    void runAutoSync().catch((err) => {
         process.stderr.write(`[floom] initial sync failed: ${err instanceof Error ? err.message : String(err)}\n`);
     }).finally(() => {
         syncState.inFlight = false;

package/dist/tools/get.js

@@ -0,0 +1,111 @@
+import { createHash } from "node:crypto";
+import { apiUrlFromConfig, DEFAULT_API_URL, readConfig } from "../lib/config.js";
+import { getJson } from "../lib/api.js";
+import { assertValidSlug } from "../lib/slug.js";
+const PACKAGE_FILE_LIMIT = 100;
+const PACKAGE_FILE_BYTES_LIMIT = 500_000;
+const PACKAGE_TOTAL_BYTES_LIMIT = 1_000_000;
+const PATH_SEGMENT_RE = /^[A-Za-z0-9._-]{1,128}$/;
+const SUPPORT_DIRS = new Set(["references", "examples", "scripts", "assets"]);
+const SHA256_RE = /^[a-f0-9]{64}$/i;
+const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+export async function getSkill(slug) {
+    assertValidSlug(slug);
+    const cfg = await readConfig();
+    const apiUrl = cfg ? apiUrlFromConfig(cfg) : (process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
+    const detail = await getJson(`${apiUrl}/api/v1/skills/${encodeURIComponent(slug)}`, cfg?.accessToken);
+    if (!detail || typeof detail.slug !== "string" || typeof detail.body_md !== "string") {
+        throw new Error("Invalid skill response");
+    }
+    return {
+        slug: detail.slug,
+        title: typeof detail.title === "string" ? detail.title : null,
+        description: typeof detail.description === "string" ? detail.description : null,
+        type: typeof detail.asset_type === "string" ? detail.asset_type : "skill",
+        version: typeof detail.version === "string"
+            ? detail.version
+            : typeof detail.skill_version === "string"
+                ? detail.skill_version
+                : null,
+        content: detail.body_md,
+        package: {
+            main: "SKILL.md",
+            supporting_dirs: ["references", "examples", "scripts", "assets"],
+        },
+        package_files: normalizePackageFiles(detail.package_files ?? detail.files),
+    };
+}
+function normalizePackageFiles(raw) {
+    if (!Array.isArray(raw))
+        return [];
+    if (raw.length > PACKAGE_FILE_LIMIT)
+        throw new Error("Invalid skill package response");
+    let totalBytes = 0;
+    return raw.flatMap((file) => {
+        if (!file || typeof file !== "object")
+            return [];
+        const candidate = file;
+        if (typeof candidate.path !== "string" || !isSafePackagePath(candidate.path))
+            return [];
+        const out = { path: candidate.path };
+        if (typeof candidate.encoding === "string")
+            out.encoding = candidate.encoding;
+        if (typeof candidate.size_bytes === "number") {
+            if (!Number.isInteger(candidate.size_bytes) || candidate.size_bytes < 0 || candidate.size_bytes > PACKAGE_FILE_BYTES_LIMIT)
+                return [];
+            out.size_bytes = candidate.size_bytes;
+            totalBytes += candidate.size_bytes;
+            if (totalBytes > PACKAGE_TOTAL_BYTES_LIMIT)
+                throw new Error("Invalid skill package response");
+        }
+        if (typeof candidate.sha256 === "string") {
+            if (!SHA256_RE.test(candidate.sha256))
+                return [];
+            out.sha256 = candidate.sha256.toLowerCase();
+        }
+        if (typeof candidate.content_hash === "string" && SHA256_RE.test(candidate.content_hash)) {
+            out.content_hash = candidate.content_hash.toLowerCase();
+        }
+        if (typeof candidate.content_base64 === "string") {
+            if ((candidate.encoding ?? "base64") !== "base64")
+                return [];
+            if (!BASE64_RE.test(candidate.content_base64))
+                return [];
+            const bytes = Buffer.from(candidate.content_base64, "base64");
+            if (bytes.length > PACKAGE_FILE_BYTES_LIMIT)
+                return [];
+            if (out.size_bytes !== undefined && out.size_bytes !== bytes.length)
+                return [];
+            const expectedHash = out.sha256 ?? out.content_hash;
+            if (!expectedHash)
+                return [];
+            const actualHash = createHash("sha256").update(bytes).digest("hex");
+            if (actualHash !== expectedHash)
+                return [];
+            out.content_base64 = candidate.content_base64;
+            if (out.size_bytes === undefined)
+                totalBytes += bytes.length;
+            out.size_bytes = bytes.length;
+            out.sha256 = expectedHash;
+        }
+        if (typeof candidate.content === "string")
+            out.content = candidate.content;
+        if (typeof candidate.body === "string")
+            out.body = candidate.body;
+        if (typeof candidate.body_md === "string")
+            out.body_md = candidate.body_md;
+        if (typeof candidate.text === "string")
+            out.text = candidate.text;
+        return [out];
+    });
+}
+function isSafePackagePath(path) {
+    if (!path || path.length > 512 || path.startsWith("/") || path.includes("\\") || path.includes("//"))
+        return false;
+    const segments = path.split("/");
+    if (segments.length < 2)
+        return false;
+    if (!SUPPORT_DIRS.has(segments[0] ?? ""))
+        return false;
+    return segments.every((segment) => PATH_SEGMENT_RE.test(segment) && segment !== "." && segment !== "..");
+}